Another major focal point of the debate last week was information security, something that I presented on in depth. My tenet is that banks should place themselves firmly at the heart of information security and offer customers a secure data vault.
The bankers' reaction to this is: doesn’t that make us a target for hackers? Yes, and that’s the exact point. Banks should beat the hackers at their own game and make bold claims like: we guarantee your money and your data are 100% safe with us. After all, if banks don’t do this, who will?
The answer came from another respondent in the financial audience from a major global bank: we are not positioned to do this, we do banking. You should leave secure data management to people who know how to do this, like Google and Facebook and PayPal.
Oh dear. Let’s just give the whole game away to someone else shall we?
Anyways, I won’t bang on about that too much, as I’ve done so already, but it’s a very short-sighted banker who thinks that letting others securely manage data, whilst they just focus upon managing money, is a long-term play.
But it is a serious issue, with €1.5 billion stolen in just the European Union in 2011 through card fraud, 60% through Card Not Present (CNP) fraud, according to the European Commission.
So what can banks do about it?
This question was answered firmly by Tavlaş Tolga, Vice President of Internet and Mobile Banking for Yapi Kredi Bank, the Turkish subsidiary of Unicredit Bank (ed: another Turkish Bank?).
Tavlaş picked out a few key instructional videos to use in his presentation.
The first I loved. It’s an advert for being safe online that was promoted in Belgium through the SafeInternetBanking.be campaign that shows Dave, an extremely gifted clairvoyant, freaking out innocent victims in a demonstration of David Copperfield levels of mind reading.
Well worth a watch (and a steal maybe).
The second came from Trend Micro and shows cybercrime activity in the mobile world. It is less entertaining but equally instructional.
I liked both videos, as they show our insecurities, but what are the solutions to insecurity?
All things that have dissipated when even the Federal Reserve can be hacked.
It was this point that got the hackles up of my banking friend, who asked me: how can we claim to be bulletproof, when even the Federal Reserve isn’t?
I couldn’t help but think maybe he’s right, but he’s not.
After all, the point of banks is to be secure and the Federal Reserve is more like a Government Agency than a bank.
Note that the Fed is actually a hybrid of the two, as it’s a Central Bank run by the Government of the United States as a Private Entity, not as a government department.
So I hark back to more competitive commercial entities like the New York Stock Exchange and still remember Steve Rubinow, EVP and CIO at NYSE Euronext, talking at a conference a few years ago about the US Department of Defence being attacked by the Chinese (was it really?) and compromised, along with other government departments, but their systems deflected such hacktivism.
So it can be done, can’t it?
Either way, the Europeans have responded by creating a new division called EC3, the European Cybercrime Centre at Europol, and Paul Gillen, Head of Cyber Operations, provided a bit more background about their remit and charter.
The EU has had some form of activity to focus upon cybercrime for years, but this is now a consolidated unit explicitly mandated to tackle the areas of cybercrime:
- committed by organised groups to generate large criminal profits such as online fraud;
- which causes serious harm to the victim such as online child sexual exploitation; or
- which affects critical infrastructure and information systems in the European Union;
… and launched on 1st January 2013.
The unit was created in recognition of the fast rise of new forms of crime, and the ease with which it virally circulates. For example, 2011 saw Android mobile threats grow from zero to 450,000 distinct attacks in just one year, according to Trend Micro, who partner with EC3.
The fact is that we will always have criminals after where the money is and, today, the money is in the data.
That brings me back to banks having to step up to the secure data challenge and it will disappoint me immensely if they don’t.
Now I could make this blog a lot longer by getting into issues of identity management, hacktivism, Anonymous, WikiLeaks and more, but I’m going to leave it there for the moment as I have a day job to get back to.